ERM Outputs Do Not Equal Reports

There’s a common misconception that ERM outputs mean reports…

It’s easy to understand why – reports are something that people are comfortable with. They are tangible and usually don’t rock the boat since they simply lay out already known information in a glossy presentation.

It’s no wonder then that over 40% of executive respondents in NC State’s annual State of Risk Oversight survey claim they are “not at all” or “minimally” satisfied with the quality of reports they receive. Even risk professionals who responded to my 2018 ERM challenges survey explain their frustration with just reporting what everyone already knows.

Although I have published an in-depth piece on risk reporting, the reality is that reports are just a subset of overall ERM outputs. To put it a little differently, an output is not just about writing a “report,” but about the decisions that need to be made and the actions that need to be taken before a report is even drafted.

ERM professionals need to think bigger picture and about how to work with executives to affect decision-making.

In the beginning of my ERM career, I read that at its core, the job of an ERM professional is to ask questions and challenge assumptions.

Many risk professionals simply stick with reports because they are easier to deal with. Being involved with making actual decisions and determining the actions needed to achieve those goals is, by default, uncomfortable and confrontational.

During the decision-making process, the ERM professional’s job is to provide a unique, unbiased perspective and to ensure that executives are considering both internal dependencies and external factors for the options before them. ERM is there to provide a dose of reality and even a slight dose of paranoia. In a recent presentation, risk manager turned CEO Julian Talbot explains that “healthy paranoia” on the part of executives is a good thing.

Too often, executives can be overly optimistic, even giddy, about a certain goal they have.

In order to be a valuable part of the organization, ERM has to provide a reality check. You don’t have to be a rocket scientist (…or even a veteran risk professional) to know that real-life scenarios are not all puppy dogs and rainbows.

The end goals of these conversations, and ERM’s participation, are twofold:

1. Ensure executives are taking the right amount of risk to achieve their desired result.

2. Ensure executives understand both the threats and opportunities to achieving their goal and acknowledge the risk being taken.

Just because executives have arrived at a decision doesn’t mean ERM’s job is finished.

Once a decision is made, a course of action to achieve that goal has to be planned out.

The fact is, though, that all actions have risk around them, so in addition to ensuring executives make informed decisions, ERM has to help determine the pros and cons around each possible course of action for achieving that goal.

For a particular course of action, questions to ask include:

  • What specific resources (time, people, financial) will we need?
  • Will these resources be available when we need them?
  • Is there anything from outside the company that could get in the way?
  • Can we address it?

(By the way, did you notice that in each of these questions, you never see the word “risk”? That is intentional because, along the lines of the conversation in last week’s post, risk management is really simply good business management…)

Once risks around actions are understood and addressed, it’s time for everyone from executives on down the line to go forth and conquer.

At this point, ERM can then create “reports” based on stakeholder needs, if reports are even needed.

Now that goals are set, actions for achieving those goals have been determined, and risks around these have been identified, it is time to report the results out to different stakeholders.

What these reports contain will be driven by a host of factors, the foremost being the audience, or stakeholders. Examples of stakeholders include the Board, regulators, executives, employees, key investors, vendors, and more.

Once you have identified the stakeholder or audience your report is intended for, there are several other organization-specific questions to consider, the first of which is – what specifically are they interested in? Is it…

  • The final decision?
  • Specific information within that decision (i.e. did you look at specific scenarios?)
  • What drove the final decision?
  • Who was involved in the decision? Was it cross-functional or were certain individuals included because of potential impact?

Norman Marks explains it well in his book World-Class Risk Management when he says – “Rather than focusing on the form of a report, I believe we should focus on what information the users of that report need.”

Understanding the information the report’s users or audience needs is by far the most important issue to address. But in order to provide them with a superb report, you then need to know their preferred communication style. Will your report need to include data and supporting evidence or just strictly the outcome?

Remember, you are not reporting “top risks,” but instead reporting on what the organization wants to achieve, how it will achieve it, and any supporting information.

Once you understand the audience’s needs and their preferred communication style, you’re ready to determine the best way to succinctly and clearly communicate that with the audience.

It may seem like a lot of preparation, but taking these steps simplifies the process and helps you produce a report or output that will be valuable to the intended audience. Albert Einstein says it best:

“If I had an hour to solve a problem, I’d spend 55 minutes thinking about the problem and 5 minutes thinking about solutions.”

Only by taking the time to think about the problem in-depth (the reason we think about root cause analysis and scenario analysis) will the solution be the best fit for the problem.

Although I can’t provide specifics, there are some general guidelines on what some audiences will be looking for. Two common audiences besides executives are regulators and the Board.

1. Regulators

Relevant regulatory agencies, be they local, state, federal, or any others depending on your industry and location, will be looking for assurance you are running the company well overall. They’re interested in solvency, compliance with laws, and whether you are as consumer-friendly as possible.

A list of risks with scores and mitigation information will not satisfy their needs.

Instead, they want to know what your organization is doing to address any risks around specific concerns like solvency/financial viability.

2. The Board

A company’s Board of Directors should be acting as a watchdog of management and challenging their assumptions to ensure any blind spots are not missed. They will want to know how management is running the company and how they plan on reaching goals in a legal and ethical way.

The Board will likely want to know the considerations around a decision and any resources (people, time, money) it will take to carry out that decision. Other parameters they may be interested in include a timeline and any dependencies.

One thing to notice between these two audiences is what one mentions and the other does not.

You should notice that the section regarding the Board doesn’t mention the word risk (again), just decisions and how the company plans to reach those goals. That’s because well-managed organizations integrate risk into decision-making at every level – it’s not treated as a separate issue, but rather as an integral part of managing a company.

You likely learned that simply reporting a list of risks will not provide the value executives, the Board, and others need from ERM. While it may be difficult and take you out of your comfort zone, providing healthy skepticism and an unbiased perspective about threats and opportunities is what executives truly need…

In your role, are you an active participant in the decision-making process, or do you simply report on top risks and mitigation activities?

I invite you to share your thoughts and experiences regarding ERM “outputs” and how you provide a unique perspective to decision-makers in your organization. Leave a comment below or join the conversation on LinkedIn.

And if you are struggling to move ERM beyond a reporting function in your organization, please contact me to discuss your specific situation today.

Featured image courtesy of Romain V via
